From 810acea6b1db256d9481dc025c1b13a768900009 Mon Sep 17 00:00:00 2001
From: Will Szumski <will@stackhpc.com>
Date: Thu, 7 May 2020 12:38:29 +0100
Subject: [PATCH] Improve fernet_token_expiry precheck

The pre-check was broken; see the bug report for details.

Change-Id: I089f1e288bae6c093be66181c81a4373a6ef3de4
Closes-Bug: #1856021
---
 ansible/roles/keystone/tasks/precheck.yml     | 27 +++++++++++++------
 ...fix-fernet-pre-check-5efbdfe43a2776e3.yaml |  6 +++++
 2 files changed, 25 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml

diff --git a/ansible/roles/keystone/tasks/precheck.yml b/ansible/roles/keystone/tasks/precheck.yml
index 633c3fc70a..1ca2f0a6f3 100644
--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -49,12 +49,23 @@
     - keystone_ssh.enabled | bool
     - inventory_hostname in groups['keystone']
 
-- name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
+- name: Checking fernet_token_expiry
   run_once: true
-  command:
-    cmd: awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
-  delegate_to: localhost
-  register: result
-  changed_when: false
-  failed_when:
-    - result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') is search(".+")
+  assert:
+    that:
+      - fernet_token_expiry is number
+      # Check that it is not a floating point number
+      - fernet_token_expiry | int == fernet_token_expiry
+      - fernet_token_expiry >= 0
+      # NOTE(wszumski): fernet_rotate_cron_generator.py doesn't support a span
+      # greater than a week.
+      - fernet_token_expiry <= 604800
+    msg: >-
+      fernet_token_expiry must be an integer up to and including 604800. You can
+      set this in `globals.yml`. The value represents the time period, in
+      seconds, at which to rotate the fernet keys. Suggested values are: 60,
+      120, 240, 480, 720, 1440, 3600, 7200, 10800, 14400, 21600, 43200, 60480,
+      120960, 151200, 201600, 302400, 604800. These values ensure an evenly-spaced
+      run schedule as they divide 7 days without remainder.
+  when:
+    - keystone_token_provider == 'fernet'
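Review bot: The new lower bound `fernet_token_expiry >= 0` admits 0, which the regex it replaces did not (its smallest allowed value was 60) and which the assert `msg` does not rule out either; a rotation/expiry span of 0 is presumably never meaningful, so tighten it to `- fernet_token_expiry > 0` (or `>= 60` to keep the old floor) and mention the minimum in `msg`. The "not a floating point number" check is also weaker than its comment suggests: `60.0 | int == 60.0` is true in Python, and a YAML `true` satisfies `is number` and all three comparisons, so a stricter form such as `- fernet_token_expiry | type_debug == 'int'` would catch both — verify `type_debug` yields `'int'` for values loaded from globals.yml before relying on it. Note too that `is number` rejects the same value supplied as a string (e.g. `-e fernet_token_expiry=3600` on the command line), which may be intended given the message points at globals.yml, but deserves a one-line comment above the assert.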
diff --git a/releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml b/releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml
new file mode 100644
index 0000000000..35c3066633
--- /dev/null
+++ b/releasenotes/notes/fix-fernet-pre-check-5efbdfe43a2776e3.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue where ``fernet_token_expiry`` would fail the pre-checks
+    despite being set to a valid value. Please see `bug 1856021
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1856021>`_ for more details.